Host Scanner Changelog

This is the list of version numbers of the Cryptosense Host Scanner. Each version number is shown with a list of changes brought by that version.

0.9.6 - 2022-09-15

Changed

  • [PEM] Extract all certificates from concatenated PEM files.

Added

  • [General] Added the --password option to attempt decryption of PBE-encrypted information.
  • [PKCS#12] Extract content of Data items.
  • [PKCS#12] Extract content of EncryptedData items if --password is provided and decryption succeeds.
    • Support for PBES2 encryption with PBKDF2 as the KDF and AES-(128/192/256)-(ECB/CBC) or 3DES-CBC as the encryption scheme.
    • Other algorithms are not decrypted but the algorithm names are exported for analysis.

0.9.5 - 2022-06-28

Changed

  • Deprecate the --include-keys option. Keys are now included by default.
  • Detect PEM blocks preceded by some plain text, up to 32 kiB after the beginning of the file. Previously PEM content was only detected at the beginning of a file.

Added

  • Detect JCEKS keystores and extract their content, if unencrypted.
  • Add support for Windows.

Fixed

  • Fix crash on certificates containing invalid UTF-8 strings inside distinguished names.
  • Fix crash on some malformed PGP keys.
  • Increase robustness of scanner against parsing bugs by making it recover and continue scanning.
  • Fix a situation where some combinations of command-line options caused the same parser modules to be applied to files more than once.
  • Ensure correct JSON encoding of the trace header (e.g. correct escaping of \ characters in Windows file paths).
  • Fix crash on keystore private key entries with empty certificate chains.
  • Fix failure to detect PEM files with Windows CRLF line endings.
  • Fix crash on some special files where true and reported file lengths differ (e.g. in /sys).
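The PEM handling described in 0.9.6 (all certificates from concatenated files) and 0.9.5 (blocks preceded by plain text within the first 32 KiB, CRLF line endings, recovering from parse errors) can be illustrated with a small scanner. The code below is an added example written for this page, not the Host Scanner's own implementation; the 32 KiB window is the changelog's figure, while the exact cut-off rule, the function names and the sample input are this example's assumptions.

```python
import base64
import binascii
import re

# A PEM block is "-----BEGIN <LABEL>-----", base64 body lines, "-----END <LABEL>-----".
# Line terminators may be LF or CRLF, so the header line ends with \r?\n and
# whitespace (including \r) is stripped from the body before decoding.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)

# Only look for the first PEM header within this many bytes of the file start;
# a file whose first header lies beyond it is treated as non-PEM. (32 KiB is the
# figure from the changelog; treating it as a hard cut-off is this example's choice.)
HEADER_SEARCH_WINDOW = 32 * 1024


def find_pem_blocks(data: bytes):
    """Return a list of (label, der_bytes) for every well-formed PEM block in data.

    A block whose base64 body does not decode is skipped and scanning continues
    with the next block, instead of aborting the whole file.
    """
    first = data.find(b"-----BEGIN ", 0, HEADER_SEARCH_WINDOW)
    if first == -1:
        return []
    blocks = []
    for match in PEM_BLOCK.finditer(data, first):
        label = match.group(1).decode("ascii")
        body = re.sub(rb"\s+", b"", match.group(2))
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error:
            continue  # corrupt block: record nothing, keep scanning
        blocks.append((label, der))
    return blocks


def _pem(label: str, der: bytes, newline: bytes = b"\n") -> bytes:
    """Build a PEM block for constructing sample input (hypothetical helper)."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return (b"-----BEGIN " + label.encode() + b"-----" + newline
            + newline.join(lines) + newline
            + b"-----END " + label.encode() + b"-----" + newline)


# Constructed sample: a plain-text preamble followed by two concatenated
# "certificates" (tiny placeholder DER SEQUENCEs, not real X.509), the second
# one with Windows CRLF line endings.
CERT_A = bytes.fromhex("3003020105")  # SEQUENCE { INTEGER 5 }
CERT_B = bytes.fromhex("3003020106")  # SEQUENCE { INTEGER 6 }
SAMPLE = (b"# bundle exported by a constructed tool\n"
          + _pem("CERTIFICATE", CERT_A)
          + _pem("CERTIFICATE", CERT_B, newline=b"\r\n"))

if __name__ == "__main__":
    for label, der in find_pem_blocks(SAMPLE):
        print(label, der.hex())
```

Running the block prints one line per extracted block; a file whose only PEM header sits past the 32 KiB window yields no blocks, and a block with an undecodable body is dropped without stopping the scan of the blocks after it.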

0.9.4 - 2022-04-08

Changed

  • Change the --max-file-size option to interpret 0 as "no size limit". Any strictly positive value is interpreted the same way as before (file cutoff in bytes).

Fixed

  • Improve encoding of certificate serial numbers so that such certificates have a better chance of being correctly matched with certificates coming from other sources such as the Java Tracer.
  • Improve performance of scanning:
    • Improve detection of ASN.1 files to reduce memory usage and time spent in scans.
    • Exclude CPIO and system map files from scan.

0.9.3 - 2022-03-02

Added

  • Add option --max-file-size to change the size limit for scanned files. The default value is 1 MB.

Changed

  • Limit the amount of data read from any single file to 1 MB by default. This avoids performance issues when large files are mistaken for ASN.1 files.

Fixed

  • Prevent the host scanner from missing some files when /sys is in the scope of the scan, even if those files are outside of /sys.

0.9.2 - 2022-02-01

Added

  • Add initial support for PKCS#12 keystores.

Changed

  • Fix host name for Docker image scans: it now reports the image name.

0.9.1 - 2021-10-29

Fixed

  • Fix container image file locations to not contain the temporary prefix used for scanning (e.g. /etc/ssl/cert.pem instead of /tmp/tmp_name/etc/ssl/cert.pem).

0.9.0 - 2021-10-13

Added

  • Add initial support for PGP keys.

0.8.0 - 2021-08-04

Fixed

  • Catch and handle "end of file" errors coming from the Java static scanner if it is used in combination with the host scanner.

0.7.1 - 2021-07-29

Added

  • Add on-the-fly gzip compression of scans.

Fixed

  • Fix stack overflow when scanning files with a large number of line breaks.
  • Improve error message when the host scanner is used in combination with the Java static scanner.

Changed

  • Rename CLI option --static_scanner_path to --static-scanner-path.
  • Rename CLI option --image_name to --image-name.

0.7.0 - 2021-07-09

Added

  • Add Docker image scanning.

0.6.0 - 2021-06-11

Added

  • Add support for EC and DSA private keys and certificates.
  • Add support for DER encoding.
  • Include encoded certificates in the scan file.

0.5.0 - 2021-04-16

Added

  • Add hard-coded strings parsing of JAR files.

0.4.0 - 2021-02-10

Added

  • Add parsing of JKS keystores.

0.3.0 - 2020-04-27

Added

  • Add a progress bar showing the number of files scanned.

Changed

  • Change log level of "Unknown OID" message from warning to debug.

Fixed

  • Improve performance on large directory trees: less RAM usage, less computing and fewer syscalls.
  • Fix file being counted twice, and potential infinite loop, by not following symbolic links.
  • Fix freeze on files without an end, such as some special files in /sys/kernel.

0.2.0 - 2020-04-16

Changed

  • Make host scanner a lot less verbose by default.

Fixed

  • Fix stack overflow when scanning large directories.

Added

  • Add --verbose and --quiet options to control the verbosity.

0.1.0 - 2020-04-07

Initial release.